On 21st August 2024, the Personal Data Protection Committee (PDPC) of Thailand’s Ministry of Digital Economy and Society (MDES) announced that it had imposed a fine of THB 7 million on J.I.B. Computer Group Co., Ltd. (JIB) for violations of the Personal Data Protection Act (PDPA) following a data breach. The PDPC noted that it was the first administrative fine issued under the PDPA.

The PDPC reported that a data breach occurred at JIB, an online IT products retailer, leading to the unauthorized exposure of personal data to a call center group known for using such information to perpetrate fraud.

Following the investigation, the PDPC determined that the company had violated:

  • Section 41 PDPA by failing to appoint a data protection officer (DPO), despite processing personal data for over 100,000 individuals as part of its core business;
     
  • Section 37(1) PDPA by failing to implement appropriate security measures, resulting in the data leak to the fraudulent group; and
     
  • Section 37(4) PDPA by failing to take corrective action and notify the authorities of the data breach as soon as it became aware of the breach.

Furthermore, the PDPC, together with the PDPA’s Expert Committee, issued a corrective order requiring JIB to (1) implement up-to-date security measures and (2) raise awareness of personnel within seven days of receiving the order.

This landmark decision serves as a key reminder to all businesses (in both public and private sectors) in Thailand that the government is taking personal data protection very seriously. Businesses with a presence in Thailand must reassess and constantly update their personal data protection scheme to ensure they comply with the legal requirements under Thailand’s PDPA.